2.17 Ensure 'clr strict security' Server Configuration Option is set to '1'

Information

The clr strict security option specifies whether the engine applies the PERMISSION_SET on the assemblies.

Rationale:

Enabling use of CLR assemblies widens the attack surface of SQL Server and puts it at risk from both inadvertent and malicious assemblies.

Impact:

If CLR assemblies are in use, applications may need to be rearchitected to eliminate their usage before enabling this setting. To find user-created assemblies, run the following query in all databases, replacing <database_name> with each database name:

USE [<database_name>]

GO

SELECT name AS Assembly_Name, permission_set_desc

FROM sys.assemblies

WHERE is_user_defined = 1;

GO

Solution

Run the following T-SQL command:

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'clr strict security', 1;
RECONFIGURE;
GO
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;

Default Value:

By default, this option is Enabled (1).

See Also

https://workbench.cisecurity.org/benchmarks/12777

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-6, 800-53|CM-7, 800-53|SC-7, CSCv7|18.9, CSCv7|18.11

Plugin: MS_SQLDB

Control ID: 673841b2f74c968dec0a9dfe3a69c98f6f55991afd0a37dc9afbac4b68efc4a9